SNS Topics should not allow global publishing

Ensure that your AWS Simple Notification Service (SNS) topics do not allow Everyone to publish.

Addresses: Security

Additional Reading:

• https://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html

SNS Topics should not allow global subscribe

Ensure that your AWS Simple Notification Service (SNS) topics do not allow "Everyone" to subscribe.

Addresses: Security

Additional Reading:

• https://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html

SNS Topic should be encrypted

Server-Side Encryption (SSE) must be enabled for the SNS topics. This ensures protection of sensitive data delivered as messages to subscribers.

Addresses: Security

Additional Reading:

• https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
• https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption.html
• https://aws.amazon.com/about-aws/whats-new/2018/11/amazon-sns-sse/

SNS Topic should be encrypted using CMK

SNS Topics should be encrypted with Customer managed keys (CMK) instead of AWS managed keys.

Addresses: Security

Additional Reading:

• https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html

Is Topic Exposed

Check if any topic is publicly accessible.

Addresses: Security

Additional Reading:

• http://docs.aws.amazon.com/sns/latest/dg/AccessPolicyLanguage.html

Is Subscription Secure Only

Ensure that subscribers get the data over secure-only protocol.

Addresses: Security

SNS Topic should have Subscription

Let there be no topics without subscription.

Addresses: Security, Operational Maturity

We suggest you use the checklist!

If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.